Is any proof required for someone to report an extension

My extension was reported as having an "SQL Injection" vulnerability. Is there any more information available? A test case? Is any proof required for someone to report an extension to the VEL?.

ResponseWe ask for as much information as possible. Where the report is missing vital information we may email the report to the developer before taking action. Where the information is plausible and highly likely to be an active exploit we will unpublish and email the original report to the developer.